Re: [brakeman] Unescaped parameter value (False Positive?) when using find with parameterized queries
Hi Justin,

Sorry, I forgot to mention the following:

In the controller I have:

  @country = Country.find(:all, :conditions => [ "LOWER(name) = ?", params[:name].mb_chars.downcase ])

And in the view I have:

  <%= @country.name %>

The warning goes away if I trick Brakeman with this in the controller:

  params[:name].tap do |name|
    Country.find(:all, :conditions => [ "LOWER(name) = ?", name.mb_chars.downcase ])
  end

Thanks!
Ronie

On 3/13/2015 5:01 PM, Justin wrote:
> Hi Ronie,
>
> Are you sure this is the code generating the warning? I cannot reproduce
> the warning. Brakeman should definitely not be warning about this.
>
> -Justin
>
> On 2015-03-13 16:55, Ronie Henrich wrote:
>> Brakeman is reporting "Unescaped parameter value" when using find with
>> parameterized queries (? or named placeholders).
>>
>> Country.find(:all, :conditions => [ "LOWER(name) = ?",
>> params[:name].mb_chars.downcase ])
>>
>> params[:name] = "Robert"
>> Generated SQL:
>> SELECT * FROM countries WHERE (LOWER(name) = 'robert');
>>
>> params[:name] = "Robert');DELETE * FROM countries;"
>> Generated SQL:
>> SELECT * FROM countries WHERE (LOWER(name) =
>> 'robert'');DELETE * FROM countries;');
>>
>> As ActiveRecord sanitizes the parameters in a parameterized query, is
>> there any harm that could still be done with params being unescaped on
>> the find above, or is it a false positive?
>>
>> Thanks!
>> Ronie
Re: [brakeman] Unescaped parameter value (False Positive?) when using find with parameterized queries
Hi Ronie,

Are you sure this is the code generating the warning? I cannot reproduce the warning. Brakeman should definitely not be warning about this.

-Justin

On 2015-03-13 16:55, Ronie Henrich wrote:
> Brakeman is reporting "Unescaped parameter value" when using find with
> parameterized queries (? or named placeholders).
>
> Country.find(:all, :conditions => [ "LOWER(name) = ?",
> params[:name].mb_chars.downcase ])
>
> params[:name] = "Robert"
> Generated SQL:
> SELECT * FROM countries WHERE (LOWER(name) = 'robert');
>
> params[:name] = "Robert');DELETE * FROM countries;"
> Generated SQL:
> SELECT * FROM countries WHERE (LOWER(name) =
> 'robert'');DELETE * FROM countries;');
>
> As ActiveRecord sanitizes the parameters in a parameterized query, is
> there any harm that could still be done with params being unescaped on
> the find above, or is it a false positive?
>
> Thanks!
> Ronie
[brakeman] Unescaped parameter value (False Positive?) when using find with parameterized queries
Brakeman is reporting "Unescaped parameter value" when using find with parameterized queries (? or named placeholders).

  Country.find(:all, :conditions => [ "LOWER(name) = ?", params[:name].mb_chars.downcase ])

params[:name] = "Robert"
Generated SQL:

  SELECT * FROM countries WHERE (LOWER(name) = 'robert');

params[:name] = "Robert');DELETE * FROM countries;"
Generated SQL:

  SELECT * FROM countries WHERE (LOWER(name) = 'robert'');DELETE * FROM countries;');

As ActiveRecord sanitizes the parameters in a parameterized query, is there any harm that could still be done with params being unescaped on the find above, or is it a false positive?

Thanks!
Ronie
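Added example, not code from this thread or from Rails/Brakeman: a small Ruby emulation of how ActiveRecord expands ? placeholders with quoted literals, run on the two param values from the post above, with plain string interpolation beside it for contrast. The helper names (quote_literal, sanitize_sql_array, countries_by_name_sql, unsafe_countries_by_name_sql) are assumptions, and plain String#downcase stands in for mb_chars.downcase, so it lowercases the whole value including the injected fragment.

```ruby
# Emulation of ActiveRecord placeholder expansion (hypothetical helpers, not
# the real ActiveRecord API). Real adapters quote through the connection's
# quote method, which doubles embedded single quotes the same way.

def quote_literal(value)
  # Doubling every embedded single quote means the value can never close
  # the string literal it is placed in, so trailing SQL stays inside it.
  "'" + value.to_s.gsub("'", "''") + "'"
end

def sanitize_sql_array(template, *values)
  # Each "?" is replaced by the next quoted value; a placeholder/value count
  # mismatch is rejected rather than silently producing a broken statement.
  unless template.count("?") == values.length
    raise ArgumentError, "wrong number of bind variables"
  end
  pending = values.dup
  template.gsub("?") { quote_literal(pending.shift) }
end

# The controller query from the thread: find(:all, :conditions => [...])
# wraps the sanitized condition in parentheses in the emitted WHERE clause.
def countries_by_name_sql(name)
  cond = sanitize_sql_array("LOWER(name) = ?", name.downcase)
  "SELECT * FROM countries WHERE (#{cond});"
end

# Contrast: direct interpolation, the pattern placeholders exist to replace.
# Here the same value terminates the literal and appends a second statement.
def unsafe_countries_by_name_sql(name)
  "SELECT * FROM countries WHERE (LOWER(name) = '#{name.downcase}');"
end

if __FILE__ == $0
  puts countries_by_name_sql("Robert")
  puts countries_by_name_sql("Robert');DELETE * FROM countries;")
  puts unsafe_countries_by_name_sql("Robert');DELETE * FROM countries;")
end
```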
